A recently observed cyberattack campaign is targeting Ukraine’s drone sector, including military units, suppliers, and volunteer organizations. Researchers at Synaptic Systems attribute it to a newly identified group tracked as GhostShell (MB-0009) and report that the group has been active since at least February 2026.
Attack Mechanism
GhostShell lures its targets with a decoy document. The group distributes a malicious archive named Besomar_documentation.rar; when the archive is extracted, a script is quietly written to the Windows Startup folder, so the malware runs each time the user logs on.
Victims first see seemingly benign PDF documents written in Ukrainian that purport to come from Besomar, a legitimate Ukrainian defense drone manufacturer. The decoy PDFs cover drone configurations and charging stations, which makes the lure more convincing.
Background Data Theft
Once the dropped script runs, it contacts a server named cloudaxiscc to download further malware. Synaptic Systems identified three files of note: 122.exe, 22.exe, and update.exe.
122.exe acts as a surveillance tool: it captures screenshots of the victim’s desktop, collects system information, and sends the data to a server at cdnexpress.cc. update.exe masquerades as a legitimate Windows security service and uses a link to a Telegram page to reach its command-and-control infrastructure.
22.exe deploys Vidar v2, a well-known information stealer, which then harvests saved browser credentials, browsing history, and cryptocurrency wallet data from the compromised machine.
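The persistence mechanism (a script dropped into the Startup folder) and the indicators named in this section (the three dropped executables and the cdnexpress.cc server) can be turned into a simple hunt over endpoint telemetry. The Python below is an added example, not code from the article or from Synaptic Systems. It runs over Sysmon-style events constructed for this example; the user name, script file name, process paths and timestamps in the sample log are assumed, not taken from the report. It uses Sysmon’s documented event IDs 1 (ProcessCreate), 11 (FileCreate) and 22 (DnsQuery).

```python
"""Hunt for the GhostShell tradecraft described above in Sysmon-style JSON events.

Added example, not from the original article or the Synaptic Systems report.
Rules:
  * startup_script_drop  - a script written into a Windows Startup folder
  * dropped_payload_exec - 122.exe, 22.exe or update.exe launched from a
                           non-system location (update.exe is a common
                           legitimate name, so the path matters)
  * exfil_dns            - a DNS query for cdnexpress.cc or a subdomain
"""
import json
import re
from typing import Dict, Iterable, List

# Both the per-user and the all-users Startup folders end with this suffix.
STARTUP_RE = re.compile(r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
SCRIPT_EXTS = (".vbs", ".js", ".jse", ".bat", ".cmd", ".ps1", ".hta", ".wsf", ".lnk")
DROPPED_NAMES = {"122.exe", "22.exe", "update.exe"}          # named in the report
EXFIL_DOMAINS = {"cdnexpress.cc"}                             # named in the report
TRUSTED_PREFIXES = ("c:\\program files", "c:\\windows\\")     # also covers "Program Files (x86)"

# Constructed sample telemetry (one JSON object per line). Not real log data.
SAMPLE_LOG = r"""
{"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\oper\\Downloads\\Besomar_documentation.pdf"}
{"EventID": 11, "Image": "C:\\Program Files\\WinRAR\\WinRAR.exe", "TargetFilename": "C:\\Users\\oper\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\docs.vbs"}
{"EventID": 1, "Image": "C:\\Users\\oper\\AppData\\Local\\Temp\\122.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe"}
{"EventID": 1, "Image": "C:\\Program Files\\SomeVendor\\update.exe", "ParentImage": "C:\\Windows\\explorer.exe"}
{"EventID": 22, "Image": "C:\\Users\\oper\\AppData\\Local\\Temp\\122.exe", "QueryName": "cdnexpress.cc"}
{"EventID": 22, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.microsoft.com"}
"""


def load_events(text: str) -> List[Dict]:
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze(events: Iterable[Dict]) -> List[Dict]:
    """Return one finding per matching event; each finding carries a rule name and context."""
    findings: List[Dict] = []
    for ev in events:
        eid = ev.get("EventID")
        if eid == 11:
            target = ev.get("TargetFilename", "")
            if STARTUP_RE.search(target) and target.lower().endswith(SCRIPT_EXTS):
                findings.append({"rule": "startup_script_drop", "path": target, "by": ev.get("Image")})
        elif eid == 1:
            image = ev.get("Image", "")
            if _basename(image) in DROPPED_NAMES and not image.lower().startswith(TRUSTED_PREFIXES):
                findings.append({"rule": "dropped_payload_exec", "path": image, "parent": ev.get("ParentImage")})
        elif eid == 22:
            qname = ev.get("QueryName", "").lower().rstrip(".")
            if qname in EXFIL_DOMAINS or any(qname.endswith("." + d) for d in EXFIL_DOMAINS):
                findings.append({"rule": "exfil_dns", "domain": qname, "by": ev.get("Image")})
    return findings


def rule_names(findings: List[Dict]) -> List[str]:
    """Rule names in the order the findings were produced."""
    return [f["rule"] for f in findings]


if __name__ == "__main__":
    for f in analyze(load_events(SAMPLE_LOG)):
        print(json.dumps(f))
```

Run against the constructed log, the benign PDF drop, the vendor updater under Program Files and the Microsoft DNS query produce no findings, while the Startup-folder script, the temp-directory 122.exe launch and the cdnexpress.cc lookup each produce one. In a real deployment the same three rules map directly onto a SIEM query over Sysmon or EDR file, process and DNS events.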
In its technical report, Synaptic Systems cautioned against attributing the campaign to a particular nation-state, even though it is aimed at disrupting Ukrainian defense efforts. Applying an analytical framework the researchers call the SOLBIT model, they stressed that surface features such as language patterns are easy for adversaries to fabricate.
For now, GhostShell is assessed as a well-organized cybercriminal group and remains under monitoring so that future activity can be detected early. The incident underscores the growing exposure of critical sectors and the need for stronger defensive measures.